A new targeted guidance document entitled “Data Act FAQ for DPOs” (the Guidance), created by the Confederation of European Data Protection Organisations (CEDPO) EU Digital Strategy Working Group, has been published. It offers a DPO-focused breakdown of the EU Data Act (the Act), explaining its scope, key definitions, and practical compliance steps. The Guidance clarifies who the Act applies to, distinguishes between personal and non-personal data, addresses how to minimise risks (including data protection risks) associated with the Act, and describes obligations for data holders. The Guidance is designed specifically to support the DPO community in understanding and interpreting the Act, managing risks, and supporting organisations as the Act comes into force over the next two years.
The Data Act
The Act establishes new rights for businesses and consumers to access data they generated using “connected devices,” limiting the exclusive control exercised by many data holders such as manufacturers and cloud service providers. UK businesses operating in the EU must now ensure that they are compliant with the provisions of the Act, being mindful of the need to review and revise contractual frameworks and data governance strategies to comply with these obligations. The Act aims to make data more accessible and usable for everyone through data sharing mechanisms and applies to organisations and persons who are responsible for producing, processing or using, managing, and sharing data derived from smart technology in the EU.
GDPR
As stated in the Guidance, DPOs are increasingly required to extend their expertise beyond the GDPR, advising on a wider range of data governance and compliance issues. Although not a data-protection law, the Act works closely alongside the GDPR and affects how organisations handle both personal and non-personal data. For DPOs and data practitioners alike, the Act introduces new user rights, new obligations for data holders, and practical challenges in aligning data-sharing requirements with GDPR principles. It is worth noting that the Act operates without prejudice to the GDPR, meaning that the GDPR takes precedence over the Act and, consequently, processing of personal data must have a valid legal ground.
The Guidance serves as a useful source for DPOs wanting a practical and user-friendly guide to the Act and its implications for in-scope, everyday business situations. While the Guidance was drafted prior to the European Commission’s Digital Omnibus Regulation Proposal and may be subject to future adjustments, for now, it is a useful tool for organisations (specifically DPOs) preparing operational and governance strategies under the evolving EU data landscape. Organisations should also be alive to the phased implementation of the Act; see our previously published article on the key implementation milestones.
